Funkwhale, security, review wanted 

If you have some knowledge in web security and Content Security Policy, would you mind having a look at dev.funkwhale.audio/funkwhale/ ?

This is an attempt to harden the security of the web UI via a CSP (and some additional HTTP headers) and to reduce the attack surface in case of exploits.

#security #funkwhale #helpwanted


Funkwhale, security, review wanted 

@eliotberriot That seems pretty good already. You could:

1) add `frame-ancestors 'none';` and `X-Frame-Options: deny` (the latter for backwards compatibility)
2) set up preloaded hsts to disable a whole set of vectors that exist due to backwards compatibility with unencrypted http
3) configure a referrer-policy to prevent leaks of possibly sensitive data in the url

Please don't hesitate to ask if you have further questions or need help.
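As an added illustration of the three review points above (this is not code from the thread or from the Funkwhale project), the following Python script audits a set of HTTP response headers: it parses the CSP for `frame-ancestors 'none'`, checks for `X-Frame-Options: deny`, verifies that the HSTS header meets the preload list requirements (max-age of at least one year, `includeSubDomains`, `preload`), and checks that the Referrer-Policy is one that withholds the path and query from cross-origin requests. The two header sets and the threshold constants are constructed for the example; a single-value Referrer-Policy is assumed (the comma-separated fallback form is not handled).

```python
"""Audit HTTP response headers for framing, HSTS-preload and referrer hardening.

Added example, not part of the original thread or of Funkwhale. The header
sets below are constructed inputs; in practice you would pass the headers
returned by your own server.
"""
from typing import Dict, List, Optional

# Constructed sample: a response that only has a basic CSP and weak settings.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:",
    "Strict-Transport-Security": "max-age=3600",
    "Referrer-Policy": "unsafe-url",
}

# Constructed sample: the same response after applying the three suggestions.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:; frame-ancestors 'none'",
    "X-Frame-Options": "deny",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Policies that never send the path/query of the current page cross-origin.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}
# hstspreload.org requires at least one year (31536000 s) for submission.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]} (lower-cased)."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def parse_hsts(value: str) -> Dict[str, object]:
    """Extract max-age, includeSubDomains and preload from an HSTS header."""
    result: Dict[str, object] = {"max-age": None, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            try:
                result["max-age"] = int(token.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as missing
        elif token in ("includesubdomains", "preload"):
            result[token] = True
    return result


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all three points are covered."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # 1) framing: CSP frame-ancestors plus the legacy X-Frame-Options fallback
    csp = parse_csp(h.get("content-security-policy", ""))
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("CSP: add frame-ancestors 'none' to block framing by other origins")
    if h.get("x-frame-options", "").strip().lower() != "deny":
        findings.append("X-Frame-Options: deny missing (fallback for browsers without CSP level 2)")

    # 2) HSTS strong enough to be preloaded
    if "strict-transport-security" not in h:
        findings.append("HSTS: header missing")
    else:
        hsts = parse_hsts(h["strict-transport-security"])
        max_age: Optional[int] = hsts["max-age"]  # type: ignore[assignment]
        if max_age is None or max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"HSTS: max-age must be at least {PRELOAD_MIN_MAX_AGE} for preloading")
        if not hsts["includesubdomains"]:
            findings.append("HSTS: includeSubDomains missing (required for preloading)")
        if not hsts["preload"]:
            findings.append("HSTS: preload token missing")

    # 3) referrer policy that does not leak path/query cross-origin
    policy = h.get("referrer-policy", "").strip().lower()
    if policy not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy: set a policy that withholds path and query from other origins")

    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {audit_headers(hdrs) or 'no findings'}")
```

Run it against real headers by pasting the output of `curl -sI` into a dict; the hardened set yields no findings, while the weak set produces six (framing twice, HSTS three times, referrer once).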

Funkwhale, security, review wanted 

@sn0int thank you, I'll add your comment as a review to ensure we don't forget this ❤️
